LogRhythm NextGen SIEM Platform

Blog

It’s National Cyber Security Awareness Month, and the theme for the final week is “Building Resilience in Critical Infrastructure.” So why is this a focus for the National Cyber Security Alliance? Well, initially cyber threats were focused on profitable data breaches with an attainable payload (e.g., credit card information, industry secrets, etc.). But now, nation states and hacktivist groups are focusing on accessing and disrupting critical infrastructure in the United States.

Building and implementing a next-generation security operations center (SOC) can seem like a daunting endeavor. The sheer number of technologies to consider, which seems to grow regularly, creates a dizzying array of technical options and capability permutations.

By utilizing network data generated by NetMon, the LogRhythm Security Intelligence and Analytics platform can whitelist normal network behavior and generate an alert when a new network service is detected. But in order to gather the complete picture, you also need user and endpoint visibility. This brings us back full circle to the importance of holistic analytics. I’ll discuss a real-world example showing how holistic analytics can help you detect new network services and potentially avoid a similar incident.

LogRhythm NetMon is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within an organization’s data center. However, there are many situations where a smaller, more tactical device is the optimal solution. To demonstrate how to easily deploy NetMon we decided to show you how to build a miniature device.

On September 22nd, 2016, Yahoo confirmed that they were the victim of a state-sponsored attack that compromised 500 million user accounts. According to Yahoo, "The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and in some cases, encrypted or unencrypted security questions and answers." Yahoo is recommending that users change their passwords and review their accounts for suspicious activity.

In this field, we know that gathering evidence is critical to identifying the attack vector, understanding how to stop the attack quickly, and moving ongoing investigations further. One of the best ways to gather forensic evidence is through network monitoring.

When it comes to correlation capabilities, LogRhythm has you covered. With AI Engine you can perform a variety of activities, from observing a single activity to applying advanced behavior rules across multiple dimensions (entities, devices, log sources, metadata, etc.). In addition to some of the more obvious capabilities, I’m here to tell you about one lesser-known feature of AI Engine called Temporal Chain Normalization (TCN).

For the LogRhythm Challenge at Black Hat USA this year, we wanted to give participants the opportunity to use several different analytic skills in their attempt to beat the challenge. The goal of the challenge was to identify exfiltrated data from Swish Inc., a fictional video streaming company that was recently exposed as having data leaked to a public file sharing site. We’ll tell you how to find each of the hidden flags within the PCAP.